
Martin Hořický
Take social engineering to the next level with hot plug attacks using devices such as those from Hak5: attack hardware hidden in the casing of a common USB flash drive, network cable, Wi-Fi receiver or other everyday device.
Hot plug attacks work largely on human vulnerabilities. For example, devices hidden in the casing of a flash drive, such as the Rubber Ducky, are identified by the computer as a keyboard or mouse, and the computer can then easily be infiltrated. That's because virtually every computer, whether a desktop PC, laptop, tablet or smartphone, takes input from a human operator via keyboard, mouse or touch. This is why the ubiquitous HID (Human Interface Device) standard was created. Simply put, if you connect a device to a USB port that claims to be an HID-standard keyboard, the vast majority of operating systems will automatically detect and connect it. Windows, Mac, Linux or Android: to them it's simply a keyboard.
This simplicity carries over to the scripting language these devices use: writing a payload is as simple as typing text in a notepad.
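As an added, defender-side example (not part of the original article or of any Hak5 product), the following Python script parses Linux kernel log lines for USB HID enumeration and flags keyboard-class devices that are not an approved model, since a disguised keystroke-injection device looks to the OS exactly like the extra keyboard described above. The sample log lines, the VID:PID values and the allowlist are all constructed for the example.

```python
import re
from collections import namedtuple

# Matches the line the Linux kernel logs when a USB HID device enumerates, e.g.
#   hid-generic 0003:1111:2222.0001: input,hidraw0: USB HID v1.10 Keyboard [Corp Keyboard] on usb-...
HID_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: .*?"
    r"USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device) \[(?P<name>[^\]]*)\]"
)
HidEvent = namedtuple("HidEvent", "vid pid kind name")

def parse_hid_events(lines):
    """Extract HID enumeration events from kernel log lines; other lines are ignored."""
    events = []
    for line in lines:
        m = HID_RE.search(line)
        if m:
            events.append(HidEvent(m["vid"].upper(), m["pid"].upper(), m["kind"], m["name"]))
    return events

def flag_keyboards(events, allowlist):
    """Alert on keyboard-class devices whose VID:PID is not an approved model, and on
    more than one keyboard being present: to the OS a disguised keystroke-injection
    device is indistinguishable from a second, unknown keyboard."""
    alerts = []
    keyboards_seen = 0
    for ev in events:
        if ev.kind != "Keyboard":
            continue
        keyboards_seen += 1
        if (ev.vid, ev.pid) not in allowlist:
            alerts.append(f"unknown keyboard {ev.vid}:{ev.pid} ({ev.name})")
    if keyboards_seen > 1:
        alerts.append(f"{keyboards_seen} keyboards enumerated; more than one is unusual")
    return alerts

# Constructed sample log lines (not from a real host); VID:PID values are placeholders.
SAMPLE_LOG = [
    "[  101.2] usb 1-1: new full-speed USB device number 3 using xhci_hcd",
    "[  101.4] hid-generic 0003:1111:2222.0001: input,hidraw0: USB HID v1.10 Keyboard [Corp Keyboard] on usb-0000:00:14.0-1/input0",
    "[  102.0] hid-generic 0003:1111:3333.0002: input,hidraw1: USB HID v1.11 Mouse [Corp Mouse] on usb-0000:00:14.0-3/input0",
    "[  950.7] usb 1-2: new full-speed USB device number 4 using xhci_hcd",
    "[  950.9] hid-generic 0003:ABCD:0001.0003: input,hidraw2: USB HID v1.10 Keyboard [USB Device] on usb-0000:00:14.0-2/input0",
]
CORPORATE_KEYBOARDS = {("1111", "2222")}  # assumed allowlist of approved keyboard models

if __name__ == "__main__":
    for alert in flag_keyboards(parse_hid_events(SAMPLE_LOG), CORPORATE_KEYBOARDS):
        print("ALERT:", alert)
```

On a real host the same functions can be fed `journalctl -k` or `dmesg` output; the allowlist would come from the asset inventory.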
Phishing is a form of attack in which the attacker tries to obtain a user's data by means of a fraudulent e-mail message or a page that imitates a familiar website or e-mail address. When the attack succeeds, login credentials or even access data for bank accounts are stolen. The most frequently targeted group is the elderly, who often lack sufficient knowledge of Internet security and are easily lured by fraudulent e-mails.
Most often, phishing attacks can be associated with topics such as:
However, there are effective ways to defend against phishing attacks. In addition to properly configured mail hygiene in the company (allowed and forbidden mail servers, spam filters, content filters, etc.), it is very important that employees are regularly trained in cybersecurity, which keeps them vigilant.
OUR APPROACH AND SOLUTIONS
Social engineering is usually the first step in infiltrating a company. At BDO, we run smishing and phishing campaigns whose aim is to verify how many of the target users fall victim to social engineering.
Campaign steps: